Scam claiming my account has been hacked and asks for Bitcoins

hy , 

how can I block this kind of mail  in sophos 

""  *********has been hacked, change your password ASAP


A​s ​yo​u ​ma​y ​ha​ve​ n​ot​ic​ed​, ​I ​se​nt​ t​hi​s ​em​ai​l ​fr​om​ y​ou​r ​em​ai​l ​ac​co​un​t ​(i​f ​yo​u ​di​dn​'t​ s​ee​, ​ch​ec​k ​th​e ​fr​om​ e​ma​il​ i​d)​. ​In​ o​th​er​ w​or​ds​, ​I ​ha​ve​ f​ul​lc​ce​ss​ t​o ​yo​ur​ e​ma​il​ a​cc​ou​nt​.

I​ i​nf​ec​te​d ​yo​u ​wi​th​ a​ m​al​wa​re​ a​ f​ew​ m​on​th​s ​ba​ck​ w​he​n ​yo​u ​vi​si​te​d ​an​ a​du​lt​ s​it​e,​ a​nd​ s​in​ce​ t​he​n,​ I​ h​av​e ​be​en​ o​bs​er​vi​ng​ y​ou​r ​ac​ti​on​s.​

T​he​ m​al​wa​re​ g​av​e ​me​ f​ul​l ​ac​ce​ss​ a​nd​ c​on​tr​ol​ o​ve​r ​yo​ur​ s​ys​te​m,​ m​ea​ni​ng​, ​I ​ca​n ​se​e ​ev​er​yt​hi​ng​ o​n ​yo​ur​ s​cr​ee​n,​ t​ur​n ​on​ y​ou​r ​ca​me​ra​ o​r ​mi​cr​op​ho​n ​an​d ​yo​u ​wo​n'​t ​ev​en​ n​ot​ic​e ​ab​ou​t ​it​.

​I ​al​so​ h​av​e ​ac​ce​ss​ t​o ​al​l ​yo​ur​ c​on​ta​ct​s. ""


best regards 

  • I moved this post here and retitled it as it was a new question and one of our rules is "one question per thread."

    I don't know of a way to block these scams as there are rarely keywords in the Subject that you would want to filter on.

    Not only have I received many in English, I also speak French and German so I've received some in those languages also.  They all make the same claim.  In my case, it was a password phished three years ago and changed within 20 minutes.  The email headers show that my account was forged/spoofed and that the email did not come from the server that handles my email account.  Here's an example from one of the 30+ such scams I've received over the last nine months.

      Received: from [] (port=49104
     by with esmtp (Exim 4.82_1-5b7a7c0-XX)
     (envelope-from <>)
     id 1g8Xg2-0002U0-15
     for; Fri, 05 Oct 2018 16:30:26 -0500

    In this case, the .in means the email was sent from an infected computer in India.  If your headers don't include something telltale like that, I would go to to see that is in Hyderabad, India.

    My guess is that anyone reading this should change their password, but that it's extremely unlikely that they were hacked in the fashion suggested by the email.

    You can get a free account at and then report the Bitcoin address where the scammer told you to send money.

    Cheers - Bob

  • I am using an expression search to block messages using the phrase Bitcoin.

  • In reply to DouglasFoster:

    This works!  Thanks, Doug!  I can't believe that I missed the fact that the Expression Filter no longer just applies to the Subject.

    Unfortunately, when they did that, they didn't include the From: field in the header: In Anti-Spam, Expression-check everything after DATA or include From.  Well, well, well - according to that suggestion I made almost four years ago, I apparently knew then that the content was covered by the Expression Filter.

    Again, Doug, I can't tell you how glad I am that you're participating here!

    Cheers - Bob

    PS You will want to use [B|b]itcoin to ensure that you get both bitcoin and Bitcoin.

  • In reply to BAlfson:

    I use a webhost for my email needs and light webhosting.

    The rule below helps filter out most of this garbage that appears to be coming from myself.

    Basically it checks the headers to see if contains the name of my domain (, AND does NOT contain "107."  This is the first octet of my public ip.  If this evaluation is true then the email did not originate from my network and gets delivered into the spam folder.

    There are some caveats to this.  Cell phone service is att based so it too will start with the 107.  Say if I sent an email to myself from a verizon or comcast ip, it would get flagged as spam.